METHOD OF PRE-AUTHORIZING HANDOVERS
AMONG ACCESS ROUTERS IN COMMUNICATION NETWORKS 

FIELD OF THE INVENTION 

[01] The invention relates generally to telecommunications networks. More particularly, 
the invention provides a method and apparatus for pre-authorizing handovers of
mobile terminals among access routers in communication networks, such as wireless 
networks. 

BACKGROUND OF THE INVENTION 

[02] Mobile devices can provide both voice-based connections and packet-based data 
connections using different base stations and infrastructures. For example, a
Web-enabled cell phone might maintain a voice connection using a first transmission
channel and maintain a mobile IP connection using a second (and independent) 
transmission channel, such that handoffs occur independently for the two channels. 
Alternatively, voice services can be combined with packet services, such that a single 
connection is maintained for both services. Voice connections can also be provided
over IP in a combined service. 

[03] FIG. 1 shows a network with mobility features that covers three service areas SA1,
SA2, and SA3. As shown in FIG. 1, a mobile terminal MT is within service area SA1
served by base station BS1 (also called an access point or AP). A service area
generally refers to the radio coverage associated with a radio tower/base station. 

[04] Base station BS1 is connected to an access router AR1, which provides access to the
Internet. Other base stations such as BS3 may also be connected to access router
AR1, such that a common IP address is used for mobile terminals even though the
terminals may pass through different service areas. In other words, although there
may be a hand off of radio frequency channels when the mobile terminal moves
between service area SA1 and service area SA3, it may not be necessary to change the
IP address used to communicate with the mobile terminal because the Internet
connection is still served by the same access router AR1.

[05] A second service area SA2 is served by a separate base station BS2, which is in turn 
connected to a different access router AR2. Due to the network topology, access 
routers AR1 and AR2 use different blocks of IP addresses for communicating with
mobile terminals roaming within their associated service areas. If mobile terminal
MT moves from service area SA1 to service area SA2, some mechanism is needed to
hand off the Internet connection from access router AR1 to access router AR2.
Similarly, if service areas SA1 and SA2 are separated by a large logical distance (e.g.,
AR1 and AR2 are connected to different ISPs), some coordination mechanism is
needed to permit data transmitted to a terminal previously operating in service area
SA1 to be forwarded to service area SA2 if that terminal moves into area SA2.

[06] One conventional scheme for handing off IP connections is depicted in FIG. 2. 
Service area SA1 is served by access router AR1, which is designated the "home
agent" for communicating with a particular mobile terminal MT. While mobile
terminal MT moves within service area SA1, correspondence nodes communicate
with the mobile terminal using an IP address that is assigned by the access router AR1
to the mobile node. IP packets (e.g., e-mail, Web pages, and the like) are transmitted
over the Internet to the home network and are forwarded to the mobile terminal
through the home agent. 

[07] If the mobile terminal MT moves to a different service area SA2, served by a different 
access router AR2, packets that were previously transmitted to AR1 will no longer
reach the mobile terminal. 

[08] One conventional approach for handing off mobile nodes is to advertise (e.g., 
broadcast) the existence of access router AR2 in service area SA2, such that when 
mobile terminal MT moves into service area SA2, it is notified of the existence of 
access router AR2, and it receives a new IP address for communicating within service 
area SA2. The mobile terminal MT then sends a binding update to home agent AR1
(e.g., through a land line LL or over the Internet), so that home agent AR1 knows the
IP address that will allow packets to reach the mobile terminal in service area SA2.
The home agent treats this address as a "care of" address, and all further packets to
the mobile terminal's home address are forwarded to the new IP address. In essence,
two separate IP addresses are used to communicate with the mobile terminal; a home
agent address and a care of address that changes when the MT moves into a new 
service area. 

[09] When a mobile node moves from one access router to another, the packet forwarding 
path of sessions to and from the mobile node changes. In order to minimize the 
impact of a change in access routers, relevant context is transferred from the 
originating access router to the new access router. As described in H. Syed et al., 
"General Requirements for a Context Transfer Framework," draft Internet 
Engineering Task Force Seamoby requirements work in progress (May 2001), the 
context transfer protocol entities may, in the process of establishing and supporting
context transfer, acquire information that would be useful to the handover process in
determining the new forwarding path; for example, the outcome of an admission 
control decision at a receiving access router. 

[10] A mobile terminal may move into an area that is served by two or more access 
routers. As with cellular telephone roaming, however, the mobile terminal may not be 
authorized to be handed off to certain access routers. Conventional handovers of 
mobile terminals from an originating access router to a target access router occur 
before determining whether the target access router is in fact authorized to service the 
mobile terminal. After the target access router accepts a handoff of a mobile terminal, 
it may perform a check to determine whether the mobile terminal is authorized to be 
serviced. If it is not, the service connection is dropped. 

[11] In other words, the handover decision from one AR to another AR is conventionally 
handled independently of whether the mobile terminal is authorized to roam into the 
network of the new AR. Typically, the mobile terminal is handed over to the new 
AR, then an authorization process ensues to determine whether the mobile terminal is 
authorized to roam into the new network. However, dropping the service connection 
with an unauthorized mobile terminal unnecessarily wastes resources, such as
maintaining a connection with the mobile terminal for a period of time before the
unauthorized service is discovered. It also wastes radio frequency spectrum, since
radio resources are allocated to the mobile node prior to authorization. If the mobile 
node is determined not to be authorized, then radio resources must be revoked upon 
such determination of lack of authorization. 

[12] If there are several candidate access routers to which handover could result, for 
example those providing different access technologies (e.g., IEEE 802.11 WLANs or
Bluetooth), a mobile node may not be authorized to roam into the network of certain 
service providers. Consequently, the conventional scheme for performing handoffs to 
access routers wastes resources and can delay handover processing. 

[13] What is needed is a system and method for addressing some or all of the 
aforementioned problems. 

SUMMARY OF THE INVENTION 

[14] The invention provides a system and method to facilitate handoffs among access 
routers in networks such as wireless networks. According to one aspect of the 
invention, an originating access router inquires as to whether a target access router is 
authorized to accept a handoff of a mobile terminal and, if such authorization exists, 
initiates the handoff to the target access router. According to another variation of the 
invention, the target access router queries a home network to determine whether the 
mobile terminal is authorized to be handed off to the target access router and does not 
initiate the handoff operation until such authorization has been obtained. 
Authorization may be provided on the basis of static information, such as 
administrative approval, or on the basis of dynamic information, such as loading 
conditions. 

[15] In both embodiments, authorization of a mobile node's handover from one access 
router to another takes place prior to the actual handover. The inventive mechanism 
also allows for authorization for mobile nodes before a handover takes place even 
between heterogeneous networks. If there are several candidate access routers to
which handover could result, then obtaining authorization information could help in 
determining the most favorable access router to which the handover should be made. 
Where more than one service provider permits roaming for a given mobile node, 
knowledge of relevant authorization information from the different service providers 
can allow for an optimal handover decision. Radio resources associated with the 
target access router are not used until a decision to hand over the mobile terminal has 
been made. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[16] FIG. 1 shows a conventional network covering three service areas SA1, SA2, and
SA3. 

[17] FIG. 2 shows a conventional scheme for handing off a mobile terminal between
access routers, wherein the mobile terminal registers with a home agent AR1 but also
communicates using a second IP address through a "care of" agent AR2.

[18] FIG. 3 shows a system according to one aspect of the invention, wherein the handoff
of a mobile terminal from an originating access router to a target access router does
not occur until after a determination is made as to whether the target access router is
authorized to service the mobile terminal.

[19] FIG. 4 shows a second embodiment of a system according to the invention using 
session initiation protocol (SIP) to traverse one network boundary and AAA protocol 
to traverse another network boundary. 

[20] FIG. 5 shows one possible configuration for an authorization database 501, 
authorization checker 503, and loading detection module 502. 

[21] FIG. 6 shows a flow chart illustrating steps of a method for handing off a mobile 
terminal to a target access router only after verifying that the target access router is 
authorized to accept a hand-off of the mobile terminal. 

DETAILED DESCRIPTION OF THE INVENTION

[22] FIG. 3 shows a system employing various principles of the invention. As shown in 
FIG. 3, a first access router AR1 serves a first service area SA1 in which a mobile
terminal MT may be located. Although not explicitly shown in FIG. 3, it is assumed 
that each access router transmits and receives data packets through one or more base 
stations that cover corresponding geographic areas. It is also assumed that each 
access router provides Internet-compatible services (e.g., IP protocol compatibility) 
such that data packets received at each router can be forwarded to one or more mobile 
terminals within the corresponding service area, although the invention is not limited 
in this respect. 

[23] Suppose that mobile terminal MT moves from area SA1, which is served by access
router AR1, to area SA2, which is served by access router AR2. It is assumed that
access router AR1 and AR2 communicate either directly or indirectly (e.g., through
the Internet, land lines, other devices, or wireless means) as depicted by path 301 such
that AR1 can effect a handoff of mobile terminal MT to AR2. AR2 further
communicates with an AAA server AS1 as depicted by path 302. AAA refers to
Authentication, Authorization and Accounting, which generally defines protocols and
services relating to accounting and authorization for network services, see, e.g., IETF
RFC 2924, September 2000 and "Diameter Mobile IPv4 Application," Internet Draft,
July 2001. Server AS1 communicates with a home server HS located in a home
network SA3, as depicted by path 303. Home server HS contains authorization 
information AUTH as explained in more detail below. 

[24] As shown in FIG. 3, communication path 301 between AR1 and AR2 may be
implemented using the Session Initiation Protocol (SIP), whereas communication path
302 between AR2 and AS1 may be implemented using an AAA protocol such as
DIAMETER. Communication path 303 between AS1 and home server HS may also
be implemented according to the DIAMETER protocol. In one variation, AR1
transmits a SIP message with an OPTION method that contains details regarding the
mobile terminal and the target access router AR2. This message is then translated
into a suitable DIAMETER message for transport over the interfaces where
DIAMETER is used. The Session Initiation Protocol (SIP) is described in the Internet 
Engineering Task Force (IETF) Request for Comment number 2543. 

[25] According to one aspect of the invention, prior to performing the handoff of mobile 
terminal MT from AR1 to AR2, access router AR1 contacts AR2 to inquire about
authorization information for mobile terminal MT. AR2 in turn contacts server AS1
for such information, which in turn contacts home server HS via path 303 to
determine whether the mobile terminal is authorized to be handed off to access router
AR2. If the mobile terminal is authorized, the handoff proceeds; otherwise, the
handoff is aborted. Arranging a handoff may include procedures of context transfer
(see, e.g., R. Koodli and C. Perkins, "A Context Transfer Framework for Seamless
Mobility," Work in Progress, Internet Draft, February 2001), or fast handover (see,
e.g., G. Tsirtsis et al., "Fast Handovers for Mobile IPv6," Work in Progress, Internet
Draft, April 2001). 

[26] According to one aspect of the invention, radio resources are not used during the 
authorization process in order to determine whether the handoff should proceed. For 
example, AR2 need not allocate a radio channel to communicate with the mobile 
terminal until after it has been determined that the mobile terminal is authorized to be 
handed off to AR2.

[27] The linking of an access router such as AR2 to an AAA server such as AS1 via
DIAMETER, and the further linking of an AAA server such as AS1 to a home
network server such as HS via the DIAMETER protocol, is conventional and
described in the 3rd Generation Partnership Project (3GPP2) specification TS 23.228
version 5.0.0 (April, 2001). However, the use of the architecture in the manner
described above to perform pre-handover authorization between two access routers 
serving different networks is not conventional. 

[28] FIG. 4 shows an alternate embodiment according to the invention. According to this 
embodiment, AR1 communicates with AR2 using the SIP protocol as indicated by
path 401. AR2 communicates with a SIP server SS1 also according to the SIP
protocol as indicated by path 402. SIP server SS1 communicates with a SIP server
SS2 in the home network as indicated by path 403. Finally, SIP server SS2
communicates with AAA server HS using the DIAMETER protocol, as indicated by
path 404. All of these communication paths are intended to be illustrative only; other
protocols and communication methods can be used to inquire about authorization
information in accordance with the invention. For example, authorization information 
can be pre-stored or cached in a particular access router, avoiding the need to access a 
home network. 

[29] FIG. 5 shows one possible embodiment of an authorization database such as database 
AUTH shown in FIG. 3 and FIG. 4. Authorization information may comprise static 
information (e.g., an administratively created list of mobile terminals and the access 
routers to which they are authorized to be handed off), or dynamically changing 
information (e.g., authorization based on dynamic loading conditions or other 
criteria). Additionally, authorization information may be limited by time of day, or a 
subscription plan to which a mobile subscriber belongs (e.g., a "gold" plan allowing 
access to all routers; a "silver plan" allowing access to certain routers; and a "basic" 
plan allowing access to a limited number of access routers). 

[30] In one embodiment, subscribers using mobile terminals are identified according to an 
identifier such as an International Mobile Subscriber Identity (IMSI), which is typically
recorded in the nonvolatile memory of a mobile terminal such as a mobile telephone. 
The location of mobile terminals can be identified according to a hierarchical 
identification scheme, such as a concatenation of Public Line Mobile Network 
(PLMM) identifier, local area identifier, and base station identifier. Other schemes 
for identifying subscribers of mobile terminals as well as their location, and storing 
authorization information for such mobile terminals in a database, are possible.

[31] As shown in FIG. 5, an authorization checker function 503, which may be 
implemented in software within home server HS, checks for a given mobile ID 
whether the mobile ID is authorized to be handed off to a given candidate access 
router. In one variation, the authorization comprises a simple table look-up based on
a list of allowed access routers for a given mobile terminal. In alternate embodiments,
more sophisticated authorization may be stored. For example, certain mobile 
terminals may be restricted from accessing certain access routers except during a 
particular time of day. Mobile terminal subscribers may be assigned to a subscription 
plan that determines the level of access (e.g., how many access routers and under 
what conditions they can be accessed for handoff operations). Moreover, dynamic 
authorization information can be used to authorize mobile terminals on the basis of 
dynamic conditions such as loading of a particular access router. In this regard, a 
loading detection module 502 can be implemented to operate in conjunction with a 
loading parameter to modify the allowed list of access routers based on how heavily 
the access routers are loaded, such that subscribers who pay extra money get 
preference during peak loading conditions. Current loading conditions can be 
provided from access routers to home network servers in order to share information 
concerning loading conditions. Other variations are of course possible. 

[32] FIG. 6 shows a flow chart illustrating various steps that can be carried out in
accordance with the invention. In step 601, a mobile terminal wishes to move from
an area serviced by a first access router AR1 to an area serviced by a second access
router AR2. This can be determined by the mobile terminal receiving an 
advertisement from the second access router including a router ID. In some cases, the 
current AR may detect the mobile terminal roaming into another service area and 
wish to instruct the mobile terminal to go to a particular router and connect to a 
particular access point. 

[33] In step 602, access router AR1 sends an inquiry to AR2 inquiring about authorization
for the mobile terminal to be handed off to AR2. In an alternate embodiment, shown
at steps 608 and 609, AR1 sends the inquiry to the home server for an authorization
check, bypassing steps 602 through 604. As discussed above, access router AR2 may 
have pre-stored information regarding authorizations for particular mobile terminals 
to be handed off, avoiding the need for steps 602 through 604 and 608 altogether. In 
other words, the database query could occur locally within AR2 rather than requiring 
transmissions to another computer. 

[34] In step 603, AR2 forwards the inquiry to an AAA server, which in step 604 forwards
the request to a home server corresponding to the mobile terminal. In step 605, a
determination is made as to whether the mobile terminal is authorized to be handed
off to AR2 using the principles outlined above. If the mobile terminal is not
authorized to be handed off to AR2, then in step 606 the handoff is rejected,
preferably without using any radio frequency resources between AR2 and the mobile
terminal. On the other hand, if the mobile terminal is authorized, then in step 607 the
handoff to AR2 is initiated. In the embodiment shown in FIG. 4, the steps are
modified slightly to account for the existence of SIP servers SS1 and SS2.
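
An added example, not taken from the patent: a minimal Python model of the authorization checker of FIG. 5 (paragraph [31]) and the FIG. 6 flow (steps 602 to 607), showing that a target router allocates no radio resource until authorization succeeds. The class names, load thresholds, subscriber identifiers and the third router AR3 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

# Highest router load at which each plan is still admitted. The plan names come
# from the text; the thresholds are assumptions made for this example.
PLAN_MAX_LOAD = {"gold": 1.00, "silver": 0.80, "basic": 0.50}

@dataclass
class Subscriber:
    plan: str
    allowed: dict  # router id -> (start, end) time-of-day window, or None for any time

@dataclass
class HomeServer:
    """Home server HS: database 501, checker 503, load reports for module 502."""
    auth_db: dict                                  # mobile id -> Subscriber
    load: dict = field(default_factory=dict)       # router id -> load, 0.0 to 1.0

    def is_authorized(self, mobile_id, router_id, now):
        sub = self.auth_db.get(mobile_id)
        if sub is None or router_id not in sub.allowed:
            return False, "not-listed"             # default deny
        window = sub.allowed[router_id]
        if window is not None and not (window[0] <= now <= window[1]):
            return False, "outside-time-window"
        if self.load.get(router_id, 0.0) > PLAN_MAX_LOAD.get(sub.plan, 0.0):
            return False, "router-loaded"
        return True, "ok"

@dataclass
class TargetRouter:
    router_id: str
    home: HomeServer
    radio_channels: int = 0                        # radio resources allocated so far

    def authorization_inquiry(self, mobile_id, now):   # steps 602 to 605
        return self.home.is_authorized(mobile_id, self.router_id, now)

    def accept_handoff(self, mobile_id):               # step 607
        self.radio_channels += 1

def pre_authorized_handoff(mobile_id, candidates, now):
    """Originating router logic: ask first, hand off only to an authorized target."""
    decisions = []
    for target in candidates:
        ok, reason = target.authorization_inquiry(mobile_id, now)
        decisions.append((target.router_id, reason))
        if ok:
            target.accept_handoff(mobile_id)
            return target.router_id, decisions
    return None, decisions                             # step 606: rejected

def build_sample():
    """Constructed data: two subscribers, two candidate routers with reported load."""
    db = {
        "imsi-silver": Subscriber("silver", {"AR2": (time(8), time(18)), "AR3": None}),
        "imsi-gold": Subscriber("gold", {"AR2": None}),
    }
    hs = HomeServer(db, load={"AR2": 0.9, "AR3": 0.4})
    return [TargetRouter("AR2", hs), TargetRouter("AR3", hs)]

if __name__ == "__main__":
    routers = build_sample()
    print(pre_authorized_handoff("imsi-silver", routers, time(12)))
    print(pre_authorized_handoff("imsi-unknown", routers, time(12)))
    print([(r.router_id, r.radio_channels) for r in routers])
```

The unknown subscriber is refused by every candidate with the radio channel counters unchanged, which is the property paragraph [26] describes.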

[35] In an alternate embodiment, access router AR1 can query home server HS through
another path (e.g., directly or over the Internet), rather than going through access
router AR2. In this embodiment, access router AR1 may learn of the existence of
AR2 through other means (e.g., from the mobile terminal; through an administrative 
table; or through a learning function that detects the existence of AR2 through queries 
and responses). 

[36] It should be appreciated that the principles of the invention can be applied not only to 
mobile IP networks, but to networks of other types. For example, the inventive 
principles can be applied to perform handovers between a wireless LAN and a GPRS 
network. 

[37] It should also be appreciated that access routers may cache authorization information, 
avoiding the need to query the home network for authorization information. In the 
configuration shown in FIG. 3, for example, access router AR2 may be provided with 
authorization information for a plurality of mobile terminals from home network 
server HS. Thereafter, AR2 can query its locally cached version of authorization 
information in order to respond to an authorization inquiry from AR1. Moreover,
access router AR1 may query authorization information from home server HS through
another path (e.g., over the Internet), without going through access router AR2. Other 
combinations and paths are of course possible. 

[38] Any or all of the functions depicted in the figures can be implemented using computer
software executing on a general-purpose or special-purpose digital computer. The
authorization information can be stored in a computer memory, relational database, or
other data structure. Conventional access routers can be modified to incorporate the
functions illustrated in FIG. 3.

[39] As used herein, the term "mobile terminal" should be understood to include IP- 
enabled cellular telephones and wireless telephones equipped to communicate using 
other protocols; wirelessly accessible Personal Digital Assistants (PDAs) such as 
those manufactured by PALM Inc.; notebook computers that can communicate
wirelessly; and other mobile devices that can communicate using packetized digital 
communications over various transmission technologies (including CDMA, GSM, 
TDMA, and others) or media (radio, infrared, laser, and the like). 

[40] The term "access router" should be understood to include computer-implemented 
devices that route packets, such as IP packets, to addresses in a network based on 
routing information. However, it should be understood that access routers are 
generally distinct from base stations/access points, which may rely on different 
transmission schemes to transmit information (e.g., GSM or CDMA). One or more 
base stations could be associated with a single access router, as shown in FIG. 1. 
Alternatively, more than one access router could be associated with a single base 
station. 

[41] The term "mobile IP network" should be understood to include a network or networks 
(even if incompatible in transmission technology or operated by different carriers) 
that communicate wirelessly with mobile terminals using Internet Protocol. 

[42] While the invention has been described with respect to specific examples including 
presently preferred modes of carrying out the invention, those skilled in the art will 
appreciate that there are numerous variations and permutations of the above described 
systems and techniques that fall within the spirit and scope of the invention as set 
forth in the appended claims. Any of the method steps described herein can be 
implemented in computer software and stored on computer-readable medium for
execution in a general-purpose or special-purpose computer. 